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(Updated: September 15, 2014) 

Last week, on September 6, the US Justice Department released a declassified version of 
a 2004 memorandum about the STELLARWIND program. 

The memorandum (pdf) is about the legality of STELLARWIND, which was a program 
under which NSA was authorized to collect content and metadata without the warrants 
that were needed previously. 

Here we will not discuss the STELLARWIND program itself, but take a close look at the 
STELLARWIND classification marking, which causes some confusion. Also we learn about 
the existance of mysterious compartments that point to some highly sensitive but yet 
undisclosed interception programs. 

> See also: The US Classification System 
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Classification marking of the 2004 DoJ memorandum about STELLARWIND 



The redacted markings 



The first thing we see is that two portions of the classification marking have been 
blacked out: 
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1. The redacted space beween two double slashes 



This is very strange, because according to the official classification manuals, there 
cannot be something between two double slashes in that position (see the chart below). 
The classification level (in this case: Top Secret) has to be followed by the Sensitive 
Compartmented Information (SCI) control system (here: COMINT). 

But as the US classification system is very complex, there are often minor mistakes in 
such classification lines. If we assume there was a mistake made here too, then the first 
term that has been blacked out could be another SCI compartment, which had to be 
followed by just a single slash (for example HCS for HUMINT Control System would fit 
the redacted space, although that marking itself isn't classified). 

If there was no mistake, however, and the double slash is actually correct, then it would 
be a complete new category which isn't in the (public) classification manuals. This 
reminds of the UMBRA marking, which also appeared unexpectedly between double 
slashes in a classification line. 



US Classification I NoMJS Classification I Joint Classification 
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ClASSIFICATION//SCIi-XKX/SCI 2 //SAP//AEA//FSI XXX//OISSEM,/DISSEM,/(tllSSEM 

Portion and Earner Line Marking Separators: 

fi Double forward slash is used to separate marking categories 

/ Single forward stash is used to separate multiple values within a marking category 

Hyphen is used lo link a marking to a sub-marking (e g h Sl-G or RD-SIGMA) 
" " Space is used to separate multiple sub-markings and multiple trigraph or ietragraph codes in the 

FBI Marking (e g.. (/SI-ABD-G XYZWW. ffSAR-BP-123 XWCD-HHH JAW, or /(FGI GBR JPNff) 
, Comma is used to separate multiple tri graph or tetragjaph codes in the RELTO Marking 



Overview of the categories and formatting for the US classification and control markings 
From the Intelligence Community Classification Manual 6.0 from December 2013 
(click to enlarge) 



2. The redacted space directly after STELLARWIND 

The second redaction starts right after the last letter of "STELLARWIND", thereby 
carefully hiding the category of the redacted marking, which is determined by how it is 
separated from the previous term. This could be by a slash, a double slash, a hyphen or 
a space, each indicating a different level. 

In this case, the most likely option is that "STELLARWIND" is followed by a hyphen, 
which indicates the next term is another compartment under the COMINT control 
system, equal to STELLARWIND. 

Classification manuals say there are undisclosed COMINT compartments which have 
identifiers consisting of three alphabetical characters. This would fit the redacted space 
as it would read like: "COMINT-STELLARWIND-ABC". 

This undisclosed compartment probably also figured in some other declassified 
documents, where it sometimes seems to be accompanied by a sub-compartment which 
is identified by three numeric characters, like for example in this and this declaration 
where the marking could read like "COMINT-ABC 678": 
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agency? 
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The National Security Agency in 2002 

Snowden-documents show no 
evidence for global mass surveillance 
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Case4:0B-cv-D4373-JSW Documenl22b Filed05/05/14 Page? of 49 

III I I III I I III! I ^^Ml I I I II HI I III II I II II I II 

9. -fFftfrS}^BI^^^.TSI'//OCyNF) This declaration also contains information 
2 related to or derived from the Terrorist Surveillance Program (T SP), a controlled access signals 

Classified declaration of NSA director Alexander, April 20, 2007. 



Looking at what was redacted in portions of both documents which were marked with 
this mysterious compartment, it seems that it's about at least two highly sensitive 
intelligence sources and methods. For example, pages 31-32 of this declaration (pdf) 
suggest that this might be obtaining metadata from specific telecom companies and 
search them for members or agents of particular target groups. 



Case4:08-cv-04373-JSW Docjmerit222 FiledD5/D5/14 Pages of 31 

Approved for punllc release May 5. 2014 
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lnformation Concerning the Continuing al Qaeda Terrorist Threat 
Intelligence Sources and Methods 

(3) Mela Data Collection and Analysis 

(4) The Terrorist Surveillance Program 

(a) Focus of die TSP on al Qaeda Terrorist Targets 

(b) importance of the TSP 

Information that Would Confirm or Deny Intelligence Targets 



Classified declaration of Director of National Intelligence John Negroponte, May 12, 2006 
TSP = Terrorist Surveillance Program; HCS = HUMINT Control System 
Note that TSP and HCS are also between double slashes 
(click to open the full document in pdf) 



Markings with the mysterious undisclosed COMINT compartments weren't found on any 
of the Snowden-documents, but only on those that were declassified by the government, 
so it seems that Snowden had no access to information protected by these particular 
compartments. 

The marking TSP (for Terrorist Surveillance Program), which is in some of the examples shown above, was used 
instead of STELLARWIND in briefing materials and documents intended for external audiences, such as Congress 
and the courts. 



The STELLARWIND marking 

So far, we looked at the two parts of the classification marking that were blacked out. 
But now we also have to look at the STELLARWIND marking itself, which wasn't 
redacted, but still causes confusion. 

The classification marking of the 2004 memorandum of the Justice Department says 
"COMINT- STELLAR WIND" and according to the official formatting rules, this means that 
STELLARWIND would be part of the COMINT control system. 

Note that the same memorandum had already been declassified upon a FOIA request by the ACLU in 2011, but in 
that version (pdf) the codeword STELLARWIND was still blacked out from the whole document. Both documents are 
compared here. 
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Sequence of the real Red Phones, not 
for the Washington-Moscow Hotline, 
but for the US Defense Red Switch 
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here were in use from the early eighties 
up to the present day and most of them 
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Classification marking of the 2004 DoJ memorandum about STELLARWIND 



As COMINT is a control system for communications intercepts or Signals Intelligence, 
this seems to make sense. But what is confusing, is that the internal 2009 NSA 
classification guide (pdf) for the STELLARWIND program, which was disclosed by Edward 
Snowden, says something different. 

Initially this guide calls STELLARWIND a "special compartment", but from the marking 
rules it becomes clear that it is treated as an SCI control system. Accordingly, the 
prescribed abbreviated marking reads: "TOP SECRET // STLW / SI // ORCON / NOFORN". 
In this way we can see STELLARWIND in the classification line of the following 
document: 



lOff . KtiCJW ' T- 



<U) CL45S1 



CLA RATION 



IS. "~T8WM/flSI2J»urii»»:y to the standards in Executive Onto (E.O.) 1 .1526, this 
declaration is classified as: Tor '.in II I iiWi 1 1 "' ) ^^Blli ,1)1 ) 1 i n h ' il iil'l) The 
(Waits corjcemiit B thess olosaifieatjon tnark'utiBS a™ sa forth in the Classified NSA Dixlaralion 

Classification marking of a 2013 classified declaration (pdf) of DNI James Clapper 
which was declassified on May 6, 2014 
(click to enlarge) 



In this document and also in a similar declaration (pdf) from 2013, the reason for the 
STELLARWIND classification is explained as follows: 

"This declaration also contains information related to or derived from the 
STELLARWIND program, a controlled access signals intelligence program 
under presidential authorization in response to the attacks of September 11, 
2001. In this declaration, information pertaining to the STELLARWIND 
program is denoted with the special marking "STLW" and requires more 
restrictive handling." 



STELLARWIND is also being treated as a control system in the 2009 draft report about 
this program written by the NSA Inspector General, although its classification line is also 
somewhat sloppy: there are double slashes between STLW and COMINT (should just be 
a single one), and only a single one between COMINT and ORCON (where there should 
have been double slashes as both are from different categories): 



TQPSECRET//$rLW/Je&MlNT/ORCON/NOtORN 

ST-09-0002 WORKING DRAFT 
OFFICE OF THE INSPECTOR GENERAL 

NATIONAL SECURITY AGENCY 
CENTRAL SECURITY SERVICE 

24 March 2009 



Classification marking of the 2009 report about 

http://electrospaces.blogspot.com/2014/09/about-stellarwind-and-another.html 




were made by Electrospace Systems 
Inc. They will be discussed on this 
weblog later. 

For the record, you see: 

- Electrospace MLP-1 

- Electrospace MLP-1A (since 1983) 

- Electrospace MLP-2 

- Raytheon 1ST (since 1992) 

- Telecore IST-2 (since 2003) 



US Classification Levels 



Color codes for the classification levels 
used by the government and the armed 
forces of the Unites States: 




These color codes are used to mark 
the classification level of (digital) 
documents and files and also of the 
communication devices used for their 
transmission. 
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STELLARWIND by the NSA Inspector General 
(click to read the full document) 



Throughout this document, the portion markings are also not always consistent. Most of 
them are "TS//SI//STLW//NF", but one or two times "TS//SI-STLW//NF". But as this 
report is a draft, it's possible that these things have been corrected in the final version, 
which hasn't been disclosed or declassified yet. 

The 2009 Inspector General report about STELLARWIND was one of the first documents 
from the Snowden-leaks to be published, and it still is one of the most informative and 
detailed pieces about the development of NSA's interception efforts since 9/11. 



Conclusion 

In the end, it doesn't make much difference whether STELLARWIND is a control system 
on its own, or a sub-system of COMINT, but it is remarkable that for such an important 
program, the people involved apparently also weren't clear about it's exact status and 
how to put it in the right place of a classification line. 

More important though is that the declassified documents show that besides the 
STELLARWIND program, there's at least one COMINT-compartment with at least one 
sub-compartment that protect similar or related NSA collection efforts which are 
considered even more sensitive, but about which we can only speculate. 



Geplaatst door P/K op 01:05 

8+1 Recommend this on Google 
Labels: Classification 



3 comments : 

0 rsesek said... 

My hypothesis is that STELLARWIND started as an highly classified COMINT 
compartment, which is what the early documents show. The entire STLW 
system was set up under emergency legal powers after 9/11, so the legal 
framework for the collection was not long-lasting. But then the Executive 
Branch got FISA amended (a couple of times...) to grant power to collect in a 
STLW-like way. The FISA-based legal framework is somewhat different than 
what STLW was originally set up to do, and the IG report shows that STLW 
collected data in some legally questionable ways. I think that after FISA was 
updated, STELLARWIND was made a control system to protect and isolate the 
data collected under that temporary, emergency authority, which is why the 
classification guides are so explicit about not removing information from the 
control system. Data collected under the authority is collected in an SI 
compartment, just like STLW was originally. 

Also, one note: HCS (and other control system markings) are sometimes 
redacted so that a document is not associated with an agency, not because 
the marking itself is classified. 

September 16, 2014 at 5:34 PM 
Anonymous said... 

Sorry for my lack of knowledge on this site, but I don't know where to post 
updates. In your GCHQ list of abbreviations you have JARIC. This stands for 
Joint Air Reconnaissance Intelligence Cell. This uses UK air assets to record 
imagery, analyse and disseminate product. 

September 19, 2014 at 7:16 PM 
P/K said... 

Thank you for mentioning this! You can post comments below every article on 
this website. I will update the GCHQ listing accordingly. 

September 19, 2014 at 8:45 PM 
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message, you can use the PGP Public 
Key under this ID: FD9FD4E6 

You can also communicate through 
Twitter: @electrospaces or 
XMPP/Jabber chat by using the 
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The title picture of this weblog shows 
the watch floor of the NSA's National 
Security Operations Center (NSOC) in 
2006. The URL of this weblog recalls 
Electrospace Systems Inc., the 
company which made most of the top 
level communications equipment for 
the US Government. All information on 
this weblog is obtained from 
unclassified or publicly available 
sources. 
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